[dist] Improve release validation checks

Author: Breakthrough

RELEASE-PLAN.md

@@ -46,8 +46,8 @@ Optional: version referenced below as `X.Y[.Z]` - replace with the real version
 - [ ] Approve code signing request on SignPath, download `scenedetect-signed.zip`
 - [ ] Finalize Windows artifacts locally (CI can't do this - signing happens after the AppVeyor build, so the signed-exe swap and hashing must run locally):
   - Create `dist/signed/` and copy in both `scenedetect-signed.zip` (from SignPath) and `PySceneDetect-X.Y.Z-win64.zip` (from the AppVeyor `PySceneDetect-win64` artifact).
-  - Run `python scripts/finalize_windows_dist.py`. This swaps the signed `scenedetect.exe` into the portable `.zip`, repacks it with 7-Zip, copies out the signed `.msi`, and writes `PySceneDetect-X.Y.Z-win64.manifest.json` + `SHA256SUMS`.
-- [ ] Draft release on Github using the tagged commit: include full changelog & release notes, signed portable .ZIP, signed .MSI installer, Python .whl/.tar.gz packages, and checksum manifests (`PySceneDetect-X.Y.Z.manifest.json` + `SHA256SUMS`)
+  - Run `python scripts/finalize_windows_dist.py`. This swaps the signed `scenedetect.exe` into the portable `.zip`, repacks it with 7-Zip, copies out the signed `.msi`, writes `PySceneDetect-X.Y.Z-win64.manifest.json` + `SHA256SUMS`, and then runs `scripts/validate_release.py` to verify filenames, hashes, Authenticode signatures, MSI/zip parity, and frozen `.exe` smoke tests.
+- [ ] Draft release on Github using the tagged commit: include full changelog & release notes, signed portable .ZIP, signed .MSI installer, Python .whl/.tar.gz packages, and checksum manifests (`PySceneDetect-X.Y.Z-win64.manifest.json` + `SHA256SUMS`)
 - [ ] Verify all artifacts uploaded to Github release are valid and named correctly
 - [ ] Smoke-test all release artifacts
 

scripts/_release_common.py

@@ -0,0 +1,109 @@
+#
+#            PySceneDetect: Python-Based Video Scene Detector
+#   -------------------------------------------------------------------
+#     [  Site:    https://scenedetect.com                           ]
+#     [  Docs:    https://scenedetect.com/docs/                     ]
+#     [  Github:  https://github.com/Breakthrough/PySceneDetect/    ]
+#
+# Copyright (C) 2026 Brandon Castellano <http://www.bcastell.com>.
+# PySceneDetect is licensed under the BSD 3-Clause License; see the
+# included LICENSE file, or visit one of the above pages for details.
+#
+"""Shared helpers for Windows release-finalization and validation scripts."""
+
+import hashlib
+import re
+import shutil
+import subprocess
+import sys
+import zipfile
+from pathlib import Path
+
+CHUNK = 1 << 20  # 1 MiB
+
+
+def msi_version(raw: str) -> str:
+    # Mirror scripts/update_installer.py - artifact filenames use the
+    # normalized X.Y.Z form, not the raw Python __version__.
+    parts = [re.split(r"[^\d]", p, maxsplit=1)[0] for p in raw.split(".")]
+    while len(parts) < 3:
+        parts.append("0")
+    return ".".join(parts[:4])
+
+
+def find_7zip() -> Path:
+    for candidate in (
+        Path(r"C:\Program Files\7-Zip\7z.exe"),
+        Path(r"C:\Program Files (x86)\7-Zip\7z.exe"),
+    ):
+        if candidate.exists():
+            return candidate
+    on_path = shutil.which("7z") or shutil.which("7z.exe")
+    if on_path:
+        return Path(on_path)
+    sys.exit("7-Zip not found. Install from https://www.7-zip.org/.")
+
+
+def sha256_file(path: Path) -> str:
+    h = hashlib.sha256()
+    with path.open("rb") as f:
+        for block in iter(lambda: f.read(CHUNK), b""):
+            h.update(block)
+    return h.hexdigest()
+
+
+def hash_zip_contents(zip_path: Path) -> list[dict]:
+    entries = []
+    with zipfile.ZipFile(zip_path) as zf:
+        for info in sorted(zf.infolist(), key=lambda i: i.filename):
+            if info.is_dir():
+                continue
+            h = hashlib.sha256()
+            with zf.open(info) as f:
+                for block in iter(lambda: f.read(CHUNK), b""):
+                    h.update(block)
+            entries.append(
+                {
+                    "path": info.filename,
+                    "size": info.file_size,
+                    "sha256": h.hexdigest(),
+                }
+            )
+    return entries
+
+
+def verify_authenticode(path: Path) -> None:
+    """Bail unless `path` carries a Valid Authenticode signature.
+
+    Catches the wrong-artifact case: e.g. someone drops the AppVeyor
+    pre-signing bundle into dist/signed/ instead of the SignPath output.
+    PowerShell's Get-AuthenticodeSignature works on both .exe and .msi.
+    """
+    if sys.platform != "win32":
+        print(f"  (skipping Authenticode check for {path.name} on non-Windows)")
+        return
+    ps_cmd = (
+        f"$sig = Get-AuthenticodeSignature -FilePath '{path}'; "
+        "Write-Output $sig.Status; "
+        "if ($sig.SignerCertificate) { Write-Output $sig.SignerCertificate.Subject }"
+    )
+    result = subprocess.run(
+        ["powershell", "-NoProfile", "-Command", ps_cmd],
+        capture_output=True,
+        text=True,
+        check=False,
+    )
+    lines = [line.strip() for line in result.stdout.splitlines() if line.strip()]
+    if result.returncode != 0 or not lines:
+        sys.exit(
+            f"Authenticode check for {path.name} failed to run.\n  stderr: {result.stderr.strip()}"
+        )
+    status = lines[0]
+    subject = lines[1] if len(lines) > 1 else "<no certificate>"
+    print(f"  Authenticode: {status} ({subject})")
+    if status != "Valid":
+        sys.exit(
+            f"Authenticode check FAILED for {path.name}: status={status!r}. "
+            "Verify scenedetect-signed.zip is the SignPath output, not an "
+            "unsigned AppVeyor artifact."
+        )

scripts/finalize_windows_dist.py

@@ -31,9 +31,7 @@
 """
 
 import argparse
-import hashlib
 import json
-import re
 import shutil
 import subprocess
 import sys
@@ -44,102 +42,22 @@
 
 REPO_DIR = Path(__file__).resolve().parent.parent
 sys.path.insert(0, str(REPO_DIR))
+sys.path.insert(0, str(Path(__file__).resolve().parent))
 
 import scenedetect  # noqa: E402
 
-CHUNK = 1 << 20  # 1 MiB
-
-
-def msi_version(raw: str) -> str:
-    # Mirror scripts/update_installer.py / generate_manifest.py - artifact
-    # filenames use the normalized X.Y.Z form, not the Python __version__.
-    parts = [re.split(r"[^\d]", p, maxsplit=1)[0] for p in raw.split(".")]
-    while len(parts) < 3:
-        parts.append("0")
-    return ".".join(parts[:4])
-
+import validate_release  # noqa: E402
+from _release_common import (  # noqa: E402
+    find_7zip,
+    hash_zip_contents,
+    msi_version,
+    sha256_file,
+    verify_authenticode,
+)
 
 VERSION = msi_version(scenedetect.__version__)
 
 
-def find_7zip() -> Path:
-    for candidate in (
-        Path(r"C:\Program Files\7-Zip\7z.exe"),
-        Path(r"C:\Program Files (x86)\7-Zip\7z.exe"),
-    ):
-        if candidate.exists():
-            return candidate
-    on_path = shutil.which("7z") or shutil.which("7z.exe")
-    if on_path:
-        return Path(on_path)
-    sys.exit("7-Zip not found. Install from https://www.7-zip.org/.")
-
-
-def sha256_file(path: Path) -> str:
-    h = hashlib.sha256()
-    with path.open("rb") as f:
-        for block in iter(lambda: f.read(CHUNK), b""):
-            h.update(block)
-    return h.hexdigest()
-
-
-def hash_zip_contents(zip_path: Path) -> list[dict]:
-    entries = []
-    with zipfile.ZipFile(zip_path) as zf:
-        for info in sorted(zf.infolist(), key=lambda i: i.filename):
-            if info.is_dir():
-                continue
-            h = hashlib.sha256()
-            with zf.open(info) as f:
-                for block in iter(lambda: f.read(CHUNK), b""):
-                    h.update(block)
-            entries.append(
-                {
-                    "path": info.filename,
-                    "size": info.file_size,
-                    "sha256": h.hexdigest(),
-                }
-            )
-    return entries
-
-
-def verify_authenticode(path: Path) -> None:
-    """Bail unless `path` carries a Valid Authenticode signature.
-
-    Catches the wrong-artifact case: e.g. someone drops the AppVeyor
-    pre-signing bundle into dist/signed/ instead of the SignPath output.
-    PowerShell's Get-AuthenticodeSignature works on both .exe and .msi.
-    """
-    if sys.platform != "win32":
-        print(f"  (skipping Authenticode check for {path.name} on non-Windows)")
-        return
-    ps_cmd = (
-        f"$sig = Get-AuthenticodeSignature -FilePath '{path}'; "
-        "Write-Output $sig.Status; "
-        "if ($sig.SignerCertificate) { Write-Output $sig.SignerCertificate.Subject }"
-    )
-    result = subprocess.run(
-        ["powershell", "-NoProfile", "-Command", ps_cmd],
-        capture_output=True,
-        text=True,
-        check=False,
-    )
-    lines = [line.strip() for line in result.stdout.splitlines() if line.strip()]
-    if result.returncode != 0 or not lines:
-        sys.exit(
-            f"Authenticode check for {path.name} failed to run.\n  stderr: {result.stderr.strip()}"
-        )
-    status = lines[0]
-    subject = lines[1] if len(lines) > 1 else "<no certificate>"
-    print(f"  Authenticode: {status} ({subject})")
-    if status != "Valid":
-        sys.exit(
-            f"Authenticode check FAILED for {path.name}: status={status!r}. "
-            "Verify scenedetect-signed.zip is the SignPath output, not an "
-            "unsigned AppVeyor artifact."
-        )
-
-
 def extract_signed_bundle(signed_zip: Path, dest: Path) -> tuple[Path, Path]:
     print(f"Extracting {signed_zip.name}...")
     with zipfile.ZipFile(signed_zip) as zf:
@@ -274,6 +192,10 @@ def main() -> None:
         print(f"Copied signed MSI -> {msi_dest.name}")
         write_manifests(staging, portable_zip, msi_dest)
 
+    print()
+    print("Validating finalized artifacts...")
+    validate_release.run_all_checks(staging)
+
 
 if __name__ == "__main__":
     main()